This credential phishing attack features an impersonation of MetaMask, a software cryptocurrency wallet. After compromising the domain “beykozvakfi[.]org.tr”, the attacker changes the sender name to “MetaMask” to appear more legitimate. The email explains that due to a new “Know Your Customer” (KYC) verification process, the recipient’s cryptocurrency wallet will be suspended until they have logged in to verify their account. KYC processes are well-known in the financial industry to verify identity and protect against fraud.

The attacker uses authoritative-sounding language and social engineering techniques to create a sense of urgency to trick the target into believing they will lose access to their funds—a common outcome for users who do not follow proper protocols. A link where the recipient can update their account information is provided at the bottom of the email. However, the link likely leads to a credential phishing website where login credentials and other sensitive information are at risk. 

Older, legacy security tools struggle to correctly identify this email as an attack because of the legitimate sender domain, lack of attachments, and limited functionality to detect a phishing link in the body of the email. Modern, AI-powered email security solutions detect the unknown sender and domain, suspicious links, and urgent language in the email to accurately flag this as an attack.

[Screenshot of the phishing email]

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Sender Domain: The email comes from a legitimate domain, support@beykozvakfi[.]org.tr, which is not a free email provider. This can bypass legacy security tools that primarily flag emails from unknown or suspicious domains.
  • Lack of Attachments: The email does not contain any attachments, often a focus of traditional security tools looking for malicious files or scripts.
  • Phishing Link in Body: The email contains a phishing link in the body text. Traditional security tools may not thoroughly scan the body text for malicious links, especially if they are well-disguised.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender and Domain: The domain and the email used to send this message are unknown to the recipient's company. Abnormal flags unknown senders and domains as potential threats.
  • Suspicious Link in Body: Abnormal scans the body text of emails for malicious links. The link in this email's body text was flagged as potentially harmful.
  • Urgent Language in Subject and Body: Abnormal detects the use of urgent and threatening language in the email's subject and body, a common social engineering tactic used in phishing attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
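As an added illustration, not code from the original write-up or from Abnormal Security's product, the script below applies the indicators listed in the two sections above to a constructed copy of the email: sender domain unknown to the recipient, a display name that claims a brand whose real domain does not match, a link in the body pointing outside the sender's domain, and urgent language in the subject and body. It also shows why the properties that let the message slip past legacy filters (a non-free sender domain, no attachment) carry no weight here: every check looks at the sender's relationship to the recipient or at the body content. The sample messages, the brand-to-domain map, the urgency term list and the link target are all assumptions made for the example; the real phishing URL is replaced by a placeholder host.

```python
import email
import re
from email import policy

# Constructed sample modelled on the email described in the write-up.
# The link target is a placeholder, not the real phishing URL.
SAMPLE_EML = """\
From: MetaMask <support@beykozvakfi.org.tr>
To: victim@example.com
Subject: Action required: your MetaMask wallet will be suspended
Content-Type: text/plain; charset=utf-8

Dear customer,

Due to the new Know Your Customer (KYC) verification process, your wallet
will be suspended until you verify your account immediately.

Update your account information here:
https://phishing-site.invalid/metamask/verify

MetaMask Support
"""

# Constructed benign control message from a known partner domain.
BENIGN_EML = """\
From: Alice <alice@partner.example>
To: victim@example.com
Subject: Notes from today's meeting
Content-Type: text/plain; charset=utf-8

Hi, the notes are in the shared folder: https://docs.partner.example/notes
"""

# Assumed brand catalogue: display names that are commonly impersonated and the
# domains that legitimately send under them.
BRAND_DOMAINS = {
    "metamask": {"metamask.io"},
}

# Assumed list of phrases that signal manufactured urgency.
URGENCY_TERMS = (
    "immediately",
    "suspended",
    "action required",
    "verify your account",
    "will be closed",
)


def extract_links(text):
    """Return every http(s) URL found in a block of text."""
    return re.findall(r"https?://[^\s<>\"']+", text)


def link_host(url):
    """Strip scheme and path, leaving the lowercase hostname."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def analyse(raw_eml, known_sender_domains):
    """Return the list of phishing indicators present in one RFC 5322 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender = msg["From"].addresses[0]
    display_name = sender.display_name.strip().lower()
    domain = sender.domain.lower()
    subject = msg["Subject"] or ""
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    indicators = []

    # 1. Sender domain has no prior relationship with the recipient's organisation.
    if domain not in known_sender_domains:
        indicators.append("unknown_sender_domain")

    # 2. Display name claims a brand whose legitimate domains do not include the sender's.
    if display_name in BRAND_DOMAINS and domain not in BRAND_DOMAINS[display_name]:
        indicators.append("display_name_brand_mismatch")

    # 3. A link in the body leads somewhere other than the sender's own domain.
    for url in extract_links(body):
        host = link_host(url)
        if host != domain and not host.endswith("." + domain):
            indicators.append("external_link_in_body")
            break

    # 4. Urgent or threatening language in subject or body.
    combined = (subject + " " + body).lower()
    if any(term in combined for term in URGENCY_TERMS):
        indicators.append("urgent_language")

    return indicators


def verdict(indicators):
    """Two or more independent indicators are enough to hold the message for review."""
    return "hold_for_review" if len(indicators) >= 2 else "deliver"


if __name__ == "__main__":
    known = {"example.com", "partner.example"}
    for name, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        found = analyse(raw, known)
        print(name, found, verdict(found))
```

The known-sender set stands in for the behavioural baseline the write-up refers to; in practice it is derived from the organisation's mail history rather than hard-coded. Requiring two independent indicators keeps a single weak signal, such as a first-time sender, from holding legitimate mail.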

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: External Compromised Account; Spoofed Display Name; Masked Phishing Link
Theme: Account Verification; Cryptocurrency
Impersonated Party: Brand
Impersonated Brands: MetaMask
